
Why are Discovered Items created without a Vulnerable Item from Qualys Integration?

HelloCAD
Tera Contributor

I see that there are Discovered Items from Qualys integration that do not have an associated Vulnerable Item, and the CI is created for that Discovered Item (created from IRE).

I want to limit creation of new CIs so new CIs are not created for those Items that do not have an active Vulnerability.

Please let me know how to achieve this?

 


Hi Andy,

Is there anything similar for Rapid7 and Microsoft Defender for Endpoint?

Thx

andy_ojha
ServiceNow Employee

Hey Marc,

Yes, there are filtering capabilities similar to this for Rapid7 InsightVM and Microsoft TVM / Endpoint.

Linking here to Docs/Community threads for both on the respective asset filtering for Rapid7 IVM:

https://www.servicenow.com/community/secops-forum/filter-rapid7-data-based-on-asset-tags/m-p/3223337

https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-...

 

For Microsoft TVM, and filtering at the asset layer, it boils down to the `machine_filter` and the Microsoft "OData" Query:

https://www.servicenow.com/community/secops-vr-forum-read-only/microsoft-threat-and-vulnerability-in...

 - https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-...

- Example: `machine_filter: onboardingStatus eq 'Onboarded' and machineTags/any(tag: contains(tag, 'EU_'))`

For Microsoft TVM, filtering not just the assets, but detections on assets, it is a bit more involved (there is a KB article linked to this thread):
https://www.servicenow.com/community/secops-forum/machine-filter-on-vulnerability-response-microsoft...